NavyIT
asked on
Upgrading DC from 2003 to 2008
I am trying to upgrade my domain controller to Windows 2008 from Windows 2003. I stood up the new server and promoted it to a DC in the same domain and promoted it to a global catalog server. I also installed DNS and transferred the FSMO roles to the 2008 server. Everything seemed to be fine; Active Directory and DNS were replicating to the new server.
When I tried to demote the old server, I received a caution that there were no other Active Directory DCs in the forest. I then tried shutting off the old DC and all computers lost connection to the domain. I also noticed that when I bring up \\NEWDC my SYSVOL and NETLOGON shares are missing.
I have never had this problem on any other domain so I was hoping I could find answers here. Any help would be greatly appreciated.
You mistyped the FSMO command, Ken... I know what you meant though, and it happens to all of us.
netdom query fsmo
sorry about that, thanks Mike
As others pointed out, if sysvol/netlogon are inaccessible, the replication did not complete. Check to see whether there are errors that prevent the replication.
Once the replication completes and it does not prevent the DC from serving the domain, you should make sure that the IP of the new DC is included in the DNS/Name server settings pushed from the DHCP.
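The check suggested above, as an added example that is not part of the original thread: a read-only PowerShell sketch that reports whether the SYSVOL and NETLOGON shares are published, whether Netlogon's SysvolReady flag is set, the state of the replication services, and the latest File Replication Service warnings and errors. It assumes it is run locally on the new DC from an elevated prompt.

```powershell
# Added example: read-only SYSVOL/NETLOGON readiness check, run locally on the
# new DC from an elevated PowerShell prompt. Nothing here changes configuration.

$report = New-Object PSObject -Property @{
    Computer      = $env:COMPUTERNAME
    SysvolShare   = $false
    NetlogonShare = $false
    SysvolReady   = $null            # stays $null if the registry value is absent
    NtFrs         = 'not installed'
    DFSR          = 'not installed'
}

# 1. Are the shares published? Win32_Share is available on 2003 and 2008.
$shares = @(Get-WmiObject -Class Win32_Share | ForEach-Object { $_.Name })
$report.SysvolShare   = $shares -contains 'SYSVOL'
$report.NetlogonShare = $shares -contains 'NETLOGON'

# 2. Netlogon publishes both shares only once SysvolReady is 1, which the
#    replication service sets after the initial SYSVOL sync has finished.
$key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$params = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
if ($params) { $report.SysvolReady = $params.SysvolReady }

# 3. State of the replication engines (FRS, or DFSR if SYSVOL was migrated).
foreach ($svc in @(Get-Service -Name NtFrs, DFSR -ErrorAction SilentlyContinue)) {
    if ($svc.Name -eq 'NtFrs') { $report.NtFrs = $svc.Status }
    else                       { $report.DFSR  = $svc.Status }
}

# 4. Latest FRS warnings/errors: the detail behind a dcdiag FrsEvent warning.
$events = @(Get-EventLog -LogName 'File Replication Service' -EntryType Error, Warning -Newest 10 -ErrorAction SilentlyContinue)

$report | Format-List Computer, SysvolShare, NetlogonShare, SysvolReady, NtFrs, DFSR
$events | Format-Table TimeGenerated, EntryType, EventID -AutoSize

if ($report.SysvolShare -and $report.NetlogonShare -and ($report.SysvolReady -eq 1)) {
    'SYSVOL and NETLOGON are shared on this DC.'
} else {
    'SYSVOL is not ready: keep the old DC online and work through the events above.'
}
```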
ASKER
The new DC holds the following FSMO roles: Schema Master, Domain naming master, PDC, RID pool manager, Infrastructure master
I had to sanitize the dcdiag b/c this DC is on a classified network.
Directory Server Diagnosis
Performing initial setup:
Trying to find home server...
Home Server = DC1
* Identified AD Forest.
Done gathering initial info.
Doing initial required tests
Testing server: Default-First-Site-Name\DC1
Starting test: Connectivity
......................... DC1 passed test Connectivity
Doing primary tests
Testing server: Default-First-Site-Name\DC1
Starting test: Advertising
Warning: DsGetDcName returned information for
\\DC.domain, when we were trying to reach DC1.
SERVER IS NOT RESPONDING or IS NOT CONSIDERED SUITABLE.
......................... DC1 failed test Advertising
Starting test: FrsEvent
There are warning or error events within the last 24 hours after the
SYSVOL has been shared. Failing SYSVOL replication problems may cause
Group Policy problems.
......................... DC1 passed test FrsEvent
Starting test: DFSREvent
......................... DC1 passed test DFSREvent
Starting test: SysVolCheck
......................... DC1 passed test SysVolCheck
Starting test: KccEvent
......................... DC1 passed test KccEvent
Starting test: KnowsOfRoleHolders
......................... DC1 passed test KnowsOfRoleHolders
Starting test: MachineAccount
......................... DC1 passed test MachineAccount
Starting test: NCSecDesc
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=ForestDnsZones,DC=(removed),DC=(removed),DC=(removed),DC=(removed),DC=(removed)
Error NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS doesn't have
Replicating Directory Changes In Filtered Set
access rights for the naming context:
DC=DomainDnsZones,DC=(removed),DC=(removed),DC=(removed),DC=(removed),DC=(removed)
......................... DC1 failed test NCSecDesc
Starting test: NetLogons
Unable to connect to the NETLOGON share! (\\DC1\netlogon)
[DC1] An net use or LsaPolicy operation failed with error 67,
The network name cannot be found..
......................... DC1 failed test NetLogons
Starting test: ObjectsReplicated
......................... DC1 passed test ObjectsReplicated
Starting test: Replications
......................... DC1 passed test Replications
Starting test: RidManager
......................... DC1 passed test RidManager
Starting test: Services
......................... DC1 passed test Services
Starting test: SystemLog
An Warning Event occurred. EventID: 0x80009008
Time Generated: 11/19/2010 05:55:05
Event String:
No suitable default server credential exists on this system. This wi
ll prevent server applications that expect to make use of the system default cre
dentials from accepting SSL connections. An example of such an application is th
e directory server. Applications that manage their own credentials, such as the
internet information server, are not affected by this.
An Warning Event occurred. EventID: 0x8000A008
Time Generated: 11/19/2010 06:09:07
Event String:
The Security System has received an authentication request that coul
d not be decoded. The request has failed.
An Error Event occurred. EventID: 0x80000017
Time Generated: 11/19/2010 06:14:25
Event String:
The KDC received invalid messages of type changepassword.
......................... DC1 failed test SystemLog
Starting test: VerifyReferences
......................... DC1 passed test VerifyReferences
Running partition tests on : ForestDnsZones
Starting test: CheckSDRefDom
......................... ForestDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... ForestDnsZones passed test
CrossRefValidation
Running partition tests on : DomainDnsZones
Starting test: CheckSDRefDom
......................... DomainDnsZones passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... DomainDnsZones passed test
CrossRefValidation
Running partition tests on : Schema
Starting test: CheckSDRefDom
......................... Schema passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Schema passed test CrossRefValidation
Running partition tests on : Configuration
Starting test: CheckSDRefDom
......................... Configuration passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... Configuration passed test CrossRefValidation
Running partition tests on : (Domain)
Starting test: CheckSDRefDom
......................... (Domain) passed test CheckSDRefDom
Starting test: CrossRefValidation
......................... (Domain) passed test CrossRefValidation
Running enterprise tests on : (FQDN)
Starting test: LocatorCheck
......................... (FQDN) passed test
LocatorCheck
Starting test: Intersite
......................... (FQDN) passed test
Intersite
Depending on what limitations there are and how much data needs to be replicated, it seems time should get the replication done.
https://www.experts-exchange.com/questions/23337964/NTDS-Connections-tab-Replicate-To.html
The computer machine password does not match; you may need to make sure it is correct on the new DC.
http://support.microsoft.com/kb/325850
It seems that you transferred the roles soon after the new DC joined the domain?
Not sure whether it would be better to transfer the roles back to the Windows 2003 system and let the data replicate. (Make sure you have a current system state backup.)
http://www.petri.co.il/forums/showthread.php?t=24776
This question has been classified as abandoned and is being closed as part of the Cleanup Program. See my comment at the end of the question for more details.
Can you run
"netdom /quest fsmo" to see what server holds the fsmo roles
then run dcdiag on both DCs and post the results.